Archive for 2nd August 2017

Doing a certbot renew when a site is behind CloudFlare

I have lots of my web sites behind CloudFlare – which is nice because I get free auto-updated SSL certs and all the other benefits of CloudFlare.

But in case I want to bypass CloudFlare, I like to keep a solid SSL cert on the original server. So I logged in and ran a:

sudo certbot renew --dry-run

And got this error message:

Attempting to renew cert from /etc/letsencrypt/renewal/ produced an unexpected error: Failed authorization procedure. (tls-sni-01): urn:acme:error:tls :: The server experienced a TLS error during domain verification :: remote error: tls: handshake failure. Skipping.

The solution was to log in to CloudFlare and reconfigure my to temporarily bypass the proxy and then re-run:

sudo certbot renew --dry-run

Then the renewal worked just fine and afterwards – I restored Cloudflare as my proxy.

Of course you might need a few minutes whilst the DNS changes propagate.